Vulnerability Management, Encryption

Trend Micro patches four 9.8 bugs in encryption PolicyServer products


Trend Micro earlier this week released security updates to address four critical 9.8 bugs in its encryption PolicyServer offerings.

The bugs were a series of remote code execution (RCE) and authentication bypass flaws in its Apex Central and Trend Micro Endpoint Encryption (TMEE) PolicyServer products.

While Trend Micro said it has yet to observe exploitation in the wild, it advised customers to patch immediately. The four critical CVEs patched are CVE-2025-49212, CVE-2025-49213, CVE-2025-49216, and CVE-2025-49217.

“Exploiting these types of vulnerabilities generally requires that an attacker has access (physical or remote) to a vulnerable machine,” noted the Trend Micro advisory. “In addition to timely application of patches and updated solutions, customers are also advised to review remote access to critical systems and ensure policies and perimeter security are up-to-date.”

Jason Soroko, senior fellow at Sectigo, said security teams running the Trend Micro products should treat the patches as an immediate priority. Soroko explained that Apex Central and PolicyServer govern policy distribution and disk-encryption keys across whole fleets.

“Six unauthenticated faults let anyone who can reach the management port execute code as SYSTEM or as NETWORK SERVICE,” said Soroko. “A foothold here means an attacker can disable agents, push malware, and recover recovery keys.”

Soroko added that the new CVEs are rooted in unsafe .NET deserialization, the same coding error that surfaced in earlier Trend Micro bugs this year. He said the error pointed to a shared library flaw and suggested that other Trend Micro tools may contain the same weakness.

“Because PolicyServer often ties into Active Directory to escrow recovery keys, a compromise can hand over those keys and open lateral paths toward domain controllers,” said Soroko. “Teams should patch, then hunt for signs of binder abuse in log files, and audit any internal code that reuses the vulnerable serialization patterns.”
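The root cause named above, unsafe .NET deserialization, and the advice to audit internal code for the same serialization pattern are easier to act on with a concrete before-and-after. The C# below is an added illustration written for this page; it is not Trend Micro's code and does not come from the affected products. The `PolicyMessage` type, the reader classes and the binder are hypothetical names. The `BinaryFormatter` parts apply to .NET Framework and older .NET versions; the type is marked obsolete (SYSLIB0011) from .NET 5 onward and disabled by default in .NET 8, which is itself the strongest hint that the second hardened form is the one to migrate to.

```csharp
// Added example (hypothetical code, not Trend Micro's): the unsafe .NET
// deserialization pattern beside two hardened forms.
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

[Serializable]
public sealed class PolicyMessage          // hypothetical DTO exchanged by a management port
{
    public string DeviceId { get; set; } = "";
    public int PolicyVersion { get; set; }
}

// Vulnerable pattern: BinaryFormatter with no Binder instantiates whatever
// type the untrusted stream names, so the sender decides which .NET types
// (and their deserialization callbacks) run on the server. This is the
// shape an audit of internal code should be looking for.
public static class UnsafeReader
{
    public static object Read(Stream untrusted)
    {
        var formatter = new BinaryFormatter();   // no Binder set: any type accepted
        return formatter.Deserialize(untrusted);
    }
}

// Hardened form 1: a SerializationBinder that admits exactly one type and
// throws for everything else. Two review points: the binder must be set on
// every formatter instance, and BindToType must throw rather than return
// null, because a null return lets the formatter fall back to its own type
// resolution and silently bypasses the allow list.
public sealed class PolicyMessageOnlyBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (typeName == typeof(PolicyMessage).FullName)
            return typeof(PolicyMessage);
        throw new SerializationException(
            $"Deserialization of '{typeName}' from '{assemblyName}' is not permitted");
    }
}

public static class BinderReader
{
    public static PolicyMessage Read(Stream untrusted)
    {
        var formatter = new BinaryFormatter { Binder = new PolicyMessageOnlyBinder() };
        return (PolicyMessage)formatter.Deserialize(untrusted);
    }
}

// Hardened form 2 (preferred): retire BinaryFormatter and bind the payload to
// a fixed contract with a serializer that never reads type names from input.
// JsonSerializer.Deserialize<T> can only produce a PolicyMessage, so the
// sender has no way to select a different type.
public static class JsonReader
{
    public static PolicyMessage Read(string untrustedJson)
    {
        return JsonSerializer.Deserialize<PolicyMessage>(untrustedJson)
               ?? throw new SerializationException("Empty or null payload");
    }
}
```

When auditing, the grep-level signal is any `BinaryFormatter` (or `NetDataContractSerializer`, `SoapFormatter`, `LosFormatter`) reading data that crosses a trust boundary without a throwing binder; the binder form is a stopgap, since Microsoft's guidance is that no binder makes `BinaryFormatter` safe on untrusted input, and the fixed-contract form is the durable fix.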

Trey Ford, chief information security officer at Bugcrowd, said while he’d normally recommend caution, this series of patches is worth getting done right away.

Ford said that ideally, on-premise software deployments like Apex Central will not be easily accessible to threat actors. However, he said such a deployment has the ability to interact with and run code everywhere in an enterprise, so it is worth focusing on when Trend Micro says it is critical.

“Updates released like this are exciting,” said Ford. “When you see a chained release train of updates affecting unauthenticated and authenticated remote code escalation vulnerabilities, then privilege escalation - all against security products, those updates want to tell a story. From the outside, there’s no way of telling if this came from a targeted red team engagement, but this chain of vulnerabilities is both solid research, and worth addressing with a sense of urgency and purpose.”
